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(54) Data network security system and method 

(57) A secure communication mechanism for com- 
municating credit card or other sensitive information 
between a user terminal (104) and a server (101) which 
communicate over a data network (e.g., Internet) (102). 
For secure or private communication of sensitive infor- 
mation over a data networK a telephone connection is 
established between the originating server (107) to 
which the user is connected for access to the data net- 
work and the SP (101) to which the sensitive informa- 
tion is directed. The method and system provide for a 

I 
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secure electronic commercial transaction between a 
user and a service provider which charges for informa- 
tion and/or services and/or goods, wherein sensitive 
information includes credit card information transmitted 
from the user to the service provider, and/or electronic 
information or services transmitted from the service pro- 
vider to the user in exchange for payment received from 
the user. 



FIQ. / 




loi-JwrbiiuAnoM service 



CO 

o 

Q. 

Ill 

XX;tD; <EP 0801479A1 I > 



Primed by Rank Xerox {UK) Business Services 
2.14.16;3.4 



1 



EP 0 801 479 A1 



2 



Description 
Technical Field 

This invention relates generally to secure communi- 
cations over data networks, and particularly to a method 
for secure transactions for Information, interactive serv- 
ices, and secure payment for other services and goods 
that may be purchased over data networks. 

Background of the Invention 

Currently, a multitude of services are available to 
users over data networks such as the Internet. These 
services include information and Interactive services 
deliverable over the networK and goods and services 
that may be shopped for and ordered over the network 
but are not deliverable over the network (e.g.. clothing, 
food, etc.). Despite the plethora of available services 
and the apparent convenience for consumers of virtual 
shopping from electronic merchants or service provid- 
ers (SPs), Individuals are generally wary of electronic 
shopping and particularly, are reluctant to send credit 
card or other sensitive Information over the Internet, 
since it is well publicized that personal credit card infor- 
mation should not be transmitted over a public data net- 
work, which may be subject to unauthorized access. It is 
also well publicized that Individuals have cracked secu- 
rity coding mechanisms (e.g., RSA encryption) used in 
commercial software for secure communications on the 
Internet. It is therefore possible, for instance, that while 
en route to a targeted SP, encrypted credit card or other 
sensitive Information may be intercepted at intervening 
routers by "hackers" or other eavesdroppers, who can 
decrypt the Information. 

Some providers of "non-electronlcally" delivered 
goods or services (e.g.. goods delivered off-line; e.g., 
food, clothing, etc.) provide an option for avoiding send- 
ing sensitive information over the Internet by posting 
800 telephone numbers that a user later calls off-line to 
pay for the goods or services which were ordered (but 
not paid for) over the Internet. This approach, however, 
is not only cumbersome, thus negating the appeal and 
purpose of virtual shopping and on-line purchasing of 
goods and services, but Is also not suited as a payment 
method for goods and services (including information) 
which are delivered over the Internet (referred to herein- 
after as "electronic goods"), and which are preferably 
delivered interactively In one session as part of a single 
transaction. 

It may be understood that the lack of a secure trans- 
action mechanism limits the further development of the 
Internet, the availability of service providers to users, 
and particularly the viability of smaller SPs. It is known 
that In addition to providing gateway access to the Inter- 
net and the thousands of small service providers 
around the world, large information service providers 
such as Prodigy. America Online and Compuserve pro- 
vide their own information and Interactive services. 



Users may also access the Internet and the thousands 
of smaller information service providers (ISPs) directly 
through smaller user-local Internet access providers. 
Generally, the large information service providers bill 

5 their customers on a time-usage basis after a financial 
payment relationship has been established, with the 
user/customer receiving a monthly bill which may 
include additional charges for usage of certain informa- 
tion and services and which is paid via the conventional 

70 postage system. Similarly, the smaller user-local Inter- 
net access providers usually also base their service 
charges to their subscribers for access to the Internet 
on a time-usage basis. 

The smaller ISPs, however, currently either do not 

15 charge for access to their Information and interactive 
services, or, if they do. also require the user to establish 
some sort of financial relationship whereby the user 
subscribes to the ISP and pays a bill via the conven- 
tional postage system. A frequent user of a particular 

20 established ISP may not be adverse to establishing a 
financial relationship for payment purposes. Typically, 
however, and in accordance with a fundamental con- 
cept of using the Internet (e.g.. "surfing the net" using 
Web browsers which link websites by hypertext), a user 

25 accesses many different ISPs, each on only a casual 
and often unanticipated basis, and is not likely to want 
or be able to establish a plethora of financial relation- 
ships with so many different providers. ISPs that do or 
want to charge for access to their information and/or 

30 Interactive services could do so by requiring the user to 
input their credit card number before data service is pro- 
vided. Yet, as discussed above, users are loath to send- 
ing credit card information over the Internet, and 
therefore, would likely eschew such ISPs, who are typi- 

35 cally smaller ISPs. 

Accordingly, It may be appreciated that from the 
standpoint of the user/consumer, such a security and 
privacy risk effectively preempts the ostensible conven- 
ience of services available over data networks, and also 

40 limits the actual availability of information and interac- 
tive services to those which are free of charge or are 
charged within the purview of existing financial relation- 
ships (e.g., information from a user's service provider). 
From the standpoint of tiie SPs, tine absence of a secure 

45 on-line billing mechanism limits tine virtual marketplace, 
and Its potential returns. In addition, the lack of a secure 
payment mechanism limits the number of SPs which 
can enter this marketplace, thereby limiting competition 
which would also likely benefit users/consumers, 

50 There is a need, therefore, for improved secure 
communication methods over data networks, and par- 
ticularly for inrproved methods which provide enhanced 
security for users to send credit card or other sensitive 
information to Internet SPs. 

55 

Summary of the Invention 

The present Invention overcomes tiie above, and 
other, prior art limitations by providing a secure commu- 
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Plication mecfianism which does not require credit card 
or other sensitive information to be transmitted over the 
data network (e.g., Internet) to a SP which charges for 
information and/or services and/or goods (Including 
non-efectronically delivered and electronically delivered 5 
goods). In accordance with the present invention, for 
secure or private communication of sensitive infomation 
over a data networK a telephone connection is estab- 
lished between the originating server to which the user 
Is connected for access to the data network and the SP w 
to which the sensitive information Is directed. 

In accordance with an embodiment of the invention, 
the telephone connection is established for user pay- 
ment to an ISP for receiving from the ISP Information 
and/or Interactive services via the data network such as is 
the Internet (i.e. electronically delivered goods or serv- 
ices) and/or for paying an ISP for non-electronlcally 
delivered goods or services ordered over the Internet. 
Users access a terminating ^SP server from an originat- 
ing access SP server as they usually do on a first con- 20 
nection over the Internet or any other data network via 
routing point servers, using a technology such as Web 
client/server technology. 

Any communications or transactions to a terminat- 
ing ISP server involving credit card or other sensitive 2S 
Information are effected, however, on a second connec- 
tion through a telephone call placed to a telephone 
number of the terminating ISP server. After receiving a 
call, and by associating such call with the user's request 
over the Internet for information and/or interactive serv- 30 
ices, and/or non-electronlcally deliverable goods or 
services, the ISP provides the user with the requested 
Information and/or service, or approves delivery of the 
non-electronlcally deliverable goods or services. With 
the arrangement, payment is effected without providing 3s 
credit card information via the Internet routing servers 
and without establishing a financial relationship with the 
ISP. Preferably, the communication of information over 
the telephone line between the originating server and 
the terminating ISP server is also subject to encryption. 40 

In one embodiment of the Invention when, based on 
actions of the user accessing the data network via an 
originating access SP server, if a terminating ISP 
requires credit cai*d or sensitive information from the 
user, the terminating ISP verifies that the originating 45 
access SP server supports the security mechanism. 
Upon verification from the originating access SP server, 
the terminating ISP server reserves a telephone 
number associated with the terminating ISP server, and 
transmits the telephone number over the data network so 
to the originating access SP server. The originating 
access SP server then calls the terminating ISP server 
via the received telephone number to establish a tele- 
phone connection. Sensitive information is then com- 
municated via the telephone connection, after which the 55 
telephone connection Is terminated. 

In another embodiment, the user may selectively 
Invoke secure communications (e.g. by clicking on an 
icon on the user's terminal screen) to communicate to 
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the user's originating access SP server (or, to the termi- 
nating ISP server) that a secure communication link 
over the telephone line should be established with the 
terminating ISP server (originating access SP server) 
for communicating sensitive information from the user to 
the terminating ISP. The originating access SP server 
(the terminating ISP) then verifies that the terminating 
ISP server (originating access SP server) supports the 
secure communication mechanism. Upon verification, a 
telephone connection Is established between the origi- 
nating access SP server and the terminating ISP server, 
and the sensitive information is communicated. The tel- 
ephone connection is terminated in accordance with 
user commands or the transmitted information Itself. In 
a further related embodiment, when a transaction of 
sensitive information Is to occur but the user does not 
choose to invoke a secure telephone connection for 
sending credit card information but relies on conven- 
tional mechanisms, the terminating ISP server can initi- 
ate establishment of a secure telephone communication 
link with the originating access SP server in order to 
send electronic goods/services to the user. 

In a similar embodiment, the user's originating 
access SP server initiates establishment of a secure tel- 
ephone communication link with the terminating ISP 
server upon identifying a communication from the user 
that Includes sensitive or private Information. 

Brief Description of the Drawings 

The invention wilt be described in greater detail 
below by way of reference to the accompanying draw- 
ings, wherein: 

FIG. 1 illustrates a system in accordance with the 
present invention, which provides users access to 
Information and/or services on a data network, 
such as the Internet, and provides for secure com- 
munication of sensitive information through a tele- 
phone network for transactions Involving the 
information and/or services; 
FIG. 2 illustrates functional components of an inter- 
exchange telephone network over which the tele- 
phone connection for secure communication is 
established in accordance with the present Inven- 
tion; 

FIG. 3 Is a functional block diagram representation 
applicable to both ISP 101 and Internet Access Pro- 
vider 107 showing the relationship between the ele- 
ments that interact with the Internet and those that 
Interact with the telephone network; 
FIG. 4 is a flowchart illustrating a payment mecha- 
nism according to the data network security method 
and system of the present invention in which a 
secure telephone connection is established by initi- 
ation of ISP in recognition of certain actions by the 
user; and 

FIG. 5 is a flowchart illustrating another embodi- 
ment of the data network security method and sys- 
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tern of the present invention in which a telephone 
connection is established by initiation of Internet 
access provider In recognition of certain actions by 
the user. 

5 

Detailed Description 

With reference to FIG. 1. a system is shown which 
provides access for users on a data network to informa- 
tion and/or interactive services, and for a secure com- io 
municatron mechanism on a telephone network for the 
provision of those services. For purposes of illustration 
and clarity of exposition, it will be assumed that the data 
network is the Internet, and that the secure communica- 
tion involves providing user credit card information to a is 
service provider (SP) as payment for providing informa- 
tion and/or interactive services, including electronically 
deliverable and/or non-electronically deliverable goods 
and services. It is understood, however, that the present 
invention is not limited to secure payment communica- 20 
tions, or to payment for information and/or interactive 
services only on the Internet. 

In FIG. 1. a single ISP 101 is shown connected to 
the Internet network 1 02. It should be appreciated, how- 
ever, that a multitude of ISPs are connected to the Inter- 25 
net and are available for access to the multitude of users 
around the world having access to the Internet. It may 
also be appreciated that Internet network 102 schemat- 
ically represents an interconnection of network nodes 
which include router and/or gateway servers, which may 30 
themselves include or be part of websites and/or ISPs. 
Similarly, ISP 101 may itself include Internet router 
and/or gateway servers. Connection between the ISP 
101 and the Internet 102 is over T1 digital transmission 
facilities 103, or other high speed transmission lines. A 35 
user desiring access to the information and/or interac- 
tive services available over the Internet from ISP 101 
may be an individual who accesses the Internet through 
his terminal 104. Terminal 104 can be connected to the 
Internet 1 02 over a POTS telephone connection 1 05 to 40 
the user's local exchange carrier (LEG) network 106 
through a modem (not shown). From the LEG 106. con- 
nection is made to a user-local Internet access provider 
107, which provides access to the Internet over T1 dig- 
ital transmission facilities 108. Internet access provider 45 
107 can dial a telephone number for establishing a call 
via LEG 106. Similarly, ISP 101 can dial a telephone 
number for establishing a call via LEG 1 1 7. 

Other users may be located within a common cor- 
porate (or educational) environment 109, using, for 50 
example, terminals 110. 1 11 and 1 12. which are con- 
nected to a corporate (or educational) data network 

113. Corporate (or educational) data network 113 can 
be a local area network (LAN) or wide area network 
(WAN), which is connected to a corporate web server ss 

114. Server 114 provides its own information and/or 
interactive services to users using the terminals within 
the corporate (or educational) environment 109, while 
simultaneously being available to other users on the 
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Internet, The corporate web server 114 is connected to 
the Internet 102 over T1 digital transmission facilities 
126 or other digital facilities. The corporate, (or educa- 
tional) users can thus access the information and/or 
interactive sen/ices available on corporate web server 

1 14, or they can access over Internet 102 the informa- 
tion and/or interactive services available through ISP 
101, or any other ISP connected to the Internet 102, 
although not shown in the figure. Corporate web server 
114 is also connected to PBX 120, which is connected 
to LEG network 121 and to telephone set 1 19 and tele- 
phone set 1 21 , which are associated with terminals 1 1 0 
and terminal 111. respectively. Corporate web server 
1 14 can direct PBX 120 to dial a designated telephone 
number by means of a signal over line 1 23. 

LEG 106, LEG 117, and LEG 121 are each also 
connected to an interexchange (IXC) telephone network 

115. As known in the art, LEG networks 106. 117, and 
121 include switching systems capable of communicat- 
ing with and routing calls to and from IXC telephone net- 

. work 115. 

These switching systems are stored-program con- 
trol switches which contain the service logic required to 
intercept calls which require special handling by the IXC 
network 115, and to send queries to the IXC network 
115. IXC network 115 also includes similar switching 
systems which are involved in communicating with and 
routing calls to and from LEG networks 106. 117. and 
1 21 , and in routing calls over the IXC network 1 1 5. Such 
switching systems are well known and may be, for 
example, an AT&T 5ESS® switch or an AT&T No. 4 
ESS'" switch. 

IXC network 1 1 5 may also be connected to Internet 
102 over digital transmission facilities 124. FIG. 2 illus- 
trates functional components of IXC network 115. 
Switch 202 is coupled to LEG 106. As is well known, 
many of such switches are networked to provide com- 
munication of calls over the IXC network, and for pur- 
poses of clarity of exposition, switches networked to 
switch 202 and coupled to LEGs 117 and 121 are not 
shown in FIG, 2. A billing system 203 is associated with 
switch 202 to bill for calls routed over IXC network 115. 
In addition, web server 301 can direct a controller 302 to 
place a call through the switch 202. 

As previously discussed, charging for the informa- 
tion and/or interactive services that can be provided to a 
user from an ISP. such as ISP 101 . can present a prob- 
lem if the user has not established a financial billing 
relationship with the ISP Establishing such a relation- 
ship, or alternatively arranging payment by credit card 
over the Internet is likely to impose an impediment to a 
user who desires to access ISP 101, Generally, 
because of the lack of an acceptable, secure payment 
mechanism, many ISPs today do not charge for access 
to their information and/or interactive services, even 
though a substantial benefit is provided to their users. 
Thus, the establishment of a simple, secure payment 
mechanism can be of substantial financial value to an 
ISP who may receive hundreds, if not thousands, of 
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requests for information and/or interactive services 
each day. Furthermore, charging the user a fair fee for 
access to information and/or interactive services that 
users consider of value will not likely hinder the user 
from accessing the ISP that may have previously pro- 5 
vided free access. Moreover, many smaller ISPs which 
previously requested credit card information for access- 
ing their services, may experience increased requests 
and concomitant payment for their information because 
users will not be disinclined to send credit card informa- 10 
tion for payment. The increased demand may encour- 
age further entry of new SPs into the market, and thus 
may reduce user/consumer costs by increasing compe- 
tition. 

In accordance with the present invention, communi- is 
cation of credit card or other sensitive information 
(including electronically deliverable goods/services) 
between a user and an ISP on the Internet (or other 
data network) is effected by a separate telephone call 
connection (i.e., over the public switched telephone net- 20 
work) established between the user's Internet access 
provider and the ISR The establishment of the tele- 
phone connection is initiated in response to actions of 
the user. For instance, the user may estplicitly request a 
secure communication link or the user may request a 25 
page from the ISP that involves credit card or sensitive 
information. Alternatively, the user may send credit card 
or other payment information to the ISP to purchase 
electronically-deliverable goods/services from the ISP 
but may choose to forego an option of requesting a so 
secure communication link for sending the credit card or 
payment information to the ISP; nevertheless, in 
response to this payment, the terminating ISP may 
choose to complete the transaction (i.e.. by sending the 
electronically-deliverable good/sen/ices to the user) 35 
over a secure communication link. The Internet's 
access provider or the terminating ISP may first recog- 
nize that the user's actions require establishing the sep- 
arate telephone connection. In any event, the telephone 
connection may be established according to the user's 40 
originating Internet access SP calling the terminating 
ISP, resulting in the telephone connection charges 
being incurred by the originating Internet access SP 
and passed along to the user according to the normal 
established billing arrangement. Alternatively, the tele- 45 
phone connection may be established according to the 
terminating SP calling the originating SP, resulting in the 
telephone connection charges being incurred by the ter- 
minating SP (unless charges are "reversed" by, for 
example, using a special access number), who may so 
account for such costs in charges to users. After the tel- 
ephone connection is established, it is used for commu- 
nicating the sensitive information, after which the 
telephone connection is terminated. 

As may be appreciated from the foregoing, in ss 
accordance with practicing the present invention. ISP 
101 must be capable of receiving and/or transmitting 
telephone calls via LEG 1 1 7, and of associating such 
telephone calls with user's logged onto ISP 1 01 over the 
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Internet 102. Similarly, Internet Access provider 107 
must be capable of receiving and/or transmitting tele- 
phone calls via LEG 106, and of associating such tele- 
phone calls with user's logged onto Internet 101 via 
telephone connections to Internet Access Provider 107. 
FIG. 3 is a functional block diagram representation 
applicable to both ISP 101 and Internet Access Provider 
107 showing the relationship between the elements that 
interact with the Internet and those that interact with the 
telephone network. These elements include a web 
server 501 for providing information and/or interactive 
services on the Internet and a telephone line termina- 
tion unit 502, such as a PBX to terminate calls being 
placed between ISP 101 and Internet Access Provider 
107. calls from users to the Internet Access Provider 
107, ar»d other calls to or from ISP 101 (e.g.. credit card 
number verification calls) or Internet Access Provider 
107. A control unit 503 serves as the interface between 
the web server 501 and unit 502 for comparing and 
associating information provided over the telephone 
network with data received from the Internet, as well as 
for directing termination unit 502 to place calls in 
response to direction of web server 501. Gontrol unit 
503 may be embodied as a server or processor includ- 
ing, or separate from, web server 501, and which 
includes and controls a modem bank that is coupled to 
termination unit 502. Accordingly control unit 503 is 
cooperative with web server 501 to associate a user 
with a given telephone line. 

FIG, 4 is a flowchart illustrating a payment mecha- 
nism according to the data network security method and 
system of the present invention (for convenience, 
referred to hereinbelow as DNS) in which a secure tele- 
phone connection is established by initiation of ISP 101 
in recognition of certain actions by the user at terminal 
104. 

Actions by the user at terminal 104 implicitly or 
explicitly result In a request for access to a secure page 
for communication of credit card information to ISP 101 . 
(step 401). For instance, a user browsing the web may 
encounter the web site associated with ISP 101 which 
may require payment for searching any information it 
contains (i.e., for accessing the web site). Immediately 
upon this encounter, ISP 101 queries the user whether 
the user wishes to proceed with the search of the web 
site by paying a specified access charge. If the user 
responds affirmatively, the user has implicitly requested 
a secure page since the ISP 101 recognizes that the 
secure page is needed for communicating credit card 
payment information. Alternatively, ISP 101 may allow 
the user to search the web site information for free, but 
may require payment for any, or certain, information that 
the user wishes to download. Then, upon the user's 
confirmed request for downloading specified informa- 
tion (e.g.. documents, files, etc.). the user has implicitly 
requested a secure page since the ISP 101 recognizes 
that a secure page must be provided for payment. 

Alternatively, web pages provided by ISP 101 may 
include a DNS icon such that when the user invokes 
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(i.e.. clicks on) the icon, the ISP 101 is sent a message 
which explicitly requests that the current web page on 
terminal 104 be sent by the DNS (i.e., that the web page 
be considered a secure page). Similarly, although the 
user may have an option for invoking DNS in order to 
purchase electronically-deliverable goods/services, the 
user may send credit card or payment information to 
ISP 101 by a conventional mechanism (e.g., over the 
Internet). From the user's actions of paying for electron- 
ically-deliverable goods/services, ISP 101 recognizes 
that a secure communication link should be established 
to complete the transaction by delivering the electroni- 
cally-deliverable goods/services in a manner that pro- 
tects their value to ISP 101. 

Based on these explicit and/a implicit requests 
according to the user's actions and associated condi- 
tions, ISP 101 recognizes that a secure communication 
link must be established for the secure page and thus, 
initiates a protocol for establishing a telephone connec- 
tion by querying Internet access provider 107 via Inter- 
net 102 as to whether Internet access provider 107 
supports DNS (step 403). 

If Internet access provider confirms that it supports 
DNS, ISP 101 assigns a phone number from its modem 
pool and transmits this phone number via Internet 102 
to Internet access provider 107 (steps 405-407). Inter- 
net access provider 107 confirms receipt of the phone 
number, and calls ISP 101 via the received phone 
number (step 409). ISP 101 responds to this phone call, 
thereby establishing the telephone connection for 
secure communication of sensitive information (step 
411). Notably, since ISP 101 assigned the phone 
number for a particular user, ISP 101 knows that the 
phone call received at the pre-assigned number is for 
the particular user. Where each phone number of ISP 
101 is not rigidly assigned to a particular modem, ISP 
101 can compare the dialed number, as received by ISP 
101 according to the Dialed Number Identification Serv- 
ice (DNIS) of the telephone company, to identify and 
associate the received telephone call with a particular 
user identified over the Internet by a particular Internet 
network address. The term "network address" as used 
herein means the mechanism for identifying the user 
and could be the Internet protocol address or any other 
mechanism for identifying the user on the Internet or on 
any other network. For those situations in which the 
DNIS may not be available, and there is no rigid assign- 
ment of phone numbers with modems. ISP 101 supplies 
Internet access provider 107 with an identification 
number over the Internet which is transmitted by Inter- 
net access provider 107 via the established telephone 
connection to ISP 101 . ISP 101 can then identify the tel- 
ephone call with the particular user. Alternatively, Inter- 
net access provider 107 can send user identification 
information already known to ISP 101 (e.g., Internet net- 
work address) over the telephone connection, without 
having received some identification number/information 
from ISP 101. Thus, in any event, ISP 101 knows that 
any information received on the established phone con- 



nection is for the particular user, and similarly, that sen- 
sitive information to be sent to the particular user should 
be sent on the particular established phone connection. 
It is noted, that even where ISP 101 can identify a 

5 received telephone call as associated with a particular 
user independently of any information sent over the 
phone connection, it still may be advantageous for a 
user identification to be sent over the phone connection 
in order to confirm that the phone connection is associ- 

)o ated with the particular user. 

It is understood that rather than having Internet 
access provider 107 call ISP 101. ISP 101 could call 
Internet access provider 107 at a number provided to 
ISP 101 in conjunction with confirming DNS support. 

15 However, it is preferable that Internet access provider 
107 place the call to a phone number provided by ISP 
101 in order to thwart an eavesdropper who intercepts 
the phone number information and, if the phone number 
were transmitted from Internet access provider 107 to 

20 ISP 1 01 , could rapidly place a phone call to the Internet 
access provider 107 before ISP 101 places the call, and 
pretend to be ISP 101. thereby receiving the credit card 
or sensitive information from Internet access provider 
101. Further, it is more convenient for Internet access 

25 provider 1 07 to place the call so that the associated tel- 
ephone charges can be easily billed to the user. 

More generally, preferably the server that will first 
send credit card or other sensitive or valuable informa- 
tion should not provide the phone number to the other 

30 server which would place a call to that phone number, in 
order to avoid such disguised interception by an eaves- 
dropper who need not provide any payment or other 
sensitive or valuable information to the called server 
before receiving payment or other sensitive or valuable 

35 information from the called server (even if a protocol 
required the calling party to provide some confirmation 
or identification information to the called party, the 
eavesdropper likely will have intercepted or accessed 
this confirmation or identification information). 

40 By this mechanism, for a bi-directional transaction 
(e.g., payment for electronically deliverable goods/serv- 
ices), Internet access provider 107 could provide the 
phone number for ISP 101 to call if ISP 101 agrees to 
send its information first. Then, if an eavesdropper inter- 
ns cepted the phone number and placed the call to Internet 
access provider 107, the eavesdropper could not 
receive the payment or other sensitive or valuable infor- 
mation from Internet access provider since the eaves- 
dropper must first provide such information, which the 

50 eavesdropper does not have, to Internet access pro- 
vider 107. 

Of course, it necessarily follows that if there will be 
only uni-directional transfer of payment or other sensi- 
tive or valuable infonmation over the telephone connec- 
55 tion, then preferably the server that will send credit card 
or other sensitive or valuable information should not 
provide the phone number to the other server which 
would place a call to that phone number for reception of 
the call by the server that will send the payment or other 
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sensitive or valuable information. 

If the telephone connection is successfully estab- 
lished, credit card or other sensitive information is com- 
municated over the secure telephone connection (step 
413). This communication may involve sensitive irtfor- 5 
matibn communication from the user to ISP 101 and/or 
sensitive information communication from ISP 101 to 
the user (e.g., electronically deliverable goods/serv- 
ices). Prior to delivering electronically deliverable 
goods/services or authorizing delivery of non-electroni- io 
cally deliverable goods, terminating ISP 101 preferably 
verifies the credit card information by placing a separate 
telephone call to credit card verification facilities. 

Preferably, when sensitive information Is to be 
transmitted from the user to ISP 101, ISP 101 first is 
sends a confirmation to the user indicating whether 
DNS is active. For instance, it may not be possible to 
establish the DNS secure telephone connection 
because DNS is not supported by Internet access pro- 
vider 107, or because ISP 101 does not receive a call 20 
within predetermined period of time, etc. This confirma- 
tion allows the user to decide whether to send the user's 
sensitive information to ISP based on whether DNS is 
active. For instance, if DNS were inactive, the user 
would decide whether to send the credit card Info by 2S 
conventional enaypted communications over the Inter- 
net 1 02. or to abort payment. ISP 1 01 may preempt this 
option if electronically deliverable goods/services are to 
be delivered by iSP 101, since with DNS inactive ISP 
101 may not wish to deliver certain valuable goods over 30 
the Internet. 

Once the sensitive information has been 
exchanged, the DNS phone connection is terminated 
and ISP 101 returns the previously reserved phone 
number to the pool of available phone numbers that can 35 
be assigned (steps 415-417). Various mechanisms are 
possible for terminating the connection. For Instance, 
ISP 101 may drop the phone connection once ISP 101 
recognizes that all sensitive Information has been com- 
municated and that a subsequent user action does not ■ 40 
require further secure communications capability. Alter- 
natively. ISP 101 can communicate to Internet access 
provider 107 over the Internet the number of secure 
pages that will be transmitted, and Internet access pro- 
vider 107 may drop the connection after it has transmit- 4S 
ted the specified number of pages between user and 
ISP 101. Alternatively, Internet access provider 107 may 
drop the connection once It recognizes from monitoring 
the secure access field in the TCP/IP protocol of trans- 
mitted pages (packets) from the user to ISP 101 that the so 
page (packet) being transmitted from the user to ISP Is 
no longer designated a secure page. Alternatively, the 
user may be provided with an Icon which, when 
selected, sends a message to ISP 101 or to Internet 
access provider 107 to terminate the DNS connection 55 
such that further communications are over the Internet 

FIG. 5 is a flowchart illustrating another embodi- 
ment of the data network security method and system of 
the present invention In which a telephone connection is 
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established by initiation of Internet access provider 107 
in recognition of certain actions by the user at terminal 
104. 

Actions by the user at terminal 104 implicitly or 
explicitly result in a request for access to a secure page 
for communication of credit card information to ISP 1 01 . 
(step 501). For Instance, Internet access provider 107 
may include as part of a web browser a DNS icon such 
that when the user invokes (i.e., clicks on) the Icon, 
Internet access provider 107 is sent a message which 
explicitly requests that the current web page on terminal 
104 be sent by the DNS (I.e., that the web page be con- 
sidered a secure page), or that all subsequent transmis- 
sions, until otherwise notified by the user (e.g., by 
clicking on an icon to deactivate DNS) to ISP 101 occur 
over a DNS connection. Alternatively. Internet access 
provider 107 may monitor the secure access field in the 
TCP/IP protocol of transmitted pages (packets) from the 
user to ISP 101 to identify pages that should be trans- 
mitted by the DNS mechanism. 

Based on these explicit and/or Implicit requests 
according to the user's actions and associated condi- 
tions. Internet access provider 107 recognizes that a 
secure communication link must be established for the 
secure page and thus, initiates a protocol for establish- 
ing a telephone connection by querying ISP 101 via 
Internet 102 as to whether ISP 101 supports DNS (step 
503). 

H ISP 101 confirms that it supports DNS. ISP 101 
assigns a phone number from Its modem pool and 
transmits this phone number via Internet 1 02 to Internet 
access provider 107 (steps 505-507). The subsequent 
steps for establishing the connection proceed similarly 
to the previous embodiment. Internet access provider 
107 confirms receipt of the phone number, and calls ISP 
101 via the received phone number (step 509). ISP 101 
responds to this phone call, thereby establishing the tel- 
ephone connection for secure communication of sensi- 
tive information (step 51 1). If the telephone connection 
Is successfully established, credit card or other sensitive 
information is communicated over the secure telephone 
connection (step 513). Preferably, when sensitive infor- 
mation is to be transmitted from the user to ISP 101, 
Internet access provider 107 first sends a confirmation 
to the user indicating whether DNS is active. Once the 
sensitive Information has been exchanged, the DNS 
phone connection Is terminated and ISP 101 returns the 
previously reserved phone number to the pool of availa- 
ble phone numbers that can be assigned (steps SIS- 
SI 7). 

It may be appreciated, therefore, that the present 
invention provides many features, advantages, and 
attendant advantages for users and service providers 
on data networks. From the user's standpoint, a secure 
payment method Is available which frees use for previ- 
ously offen-ed but inadvisable transactions, thereby 
effectively providing the user with not only convenience 
but also with Information, services, and goods previ- 
ously not easily located or available external to the Inter- 
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net. From the ISP's standpoint, a method of receiving Claims 
payment is provided which facilitates increasing the 
market and demand for the supplied information and/or 1 , 
interactive services, and/or non-electronic goods or 
services. In addition, the secure communication method 5 
should result in increased use and development of the 
Internet, as well as reduced cost to the user. 

Although the above description provides many spe- 
cificities, these enabling details should not be construed 
as limiting the scope of the invention, and it will be read- 10 
ily understood by those persons skilled in the art that 
the present invention Is susceptible to many modifica- 
tions, adaptations, and equivalent implementations 
without departing from this scope. 

For instance, it is understood that the operational is 
flows shown In FIGs. 4 and 5 are merely illustrative, and 
the steps shown and described are not all essential for 2. 
practicing the Invention and are not limiting of additional 
or alternative steps that may be included for practicing 
various embodiments of the invention. For example, for 20 
additional security It may be desired to encrypt the 3. 
credit card information that is transferred over the tele- 
phone connection. Also, as discussed above, it may be 
appreciated that an ISP may rely on the DNS mecha- 
nism for enhanced security to transfer electronically 25 4. 
deliverable goods to a user who has purchased the 
goods, regardless of whether the DNS mechanism Is 
used (e.g.. because of on user choice, or unavailability 
of DNS to the user) to convey the user's credit card 
Information to the ISP 30 

In addition, although the present invention has 
been described hereinabove primarily In connection 
with the payment for information and/or interactive serv- 5. 
ices of the type generally available to a user on the 
Internet or other data network, the present invention 35 
could readily be applied to the provision to the user of 
any type of Information and/or services to a user on a 
first connection over a network of any type, with billing 6. 
being effected for that information and/or services on a 
second connection through the telephone network. 40 
Thus, the present Invention could could also be used for 
teleconferencing services, video sen^lces. TV services 
provided by cable and/or broadcast mediums, and inter- 
active services such as games, bulletin boards and chat 
mediums. It Is to be understood that the term "Informa- 45 
tion and/or interactive services" Is to Include all of these 7. 
types of information and services, and all other types 
not specifically mentioned. The network over which the 
Information and/or interactive services can be provided 
can be a wired or wireless data network, or a wired or so 
wireless analog network. The signals transmitted on the 
wired network can be electrical or optical in nature. 
Also, while the hereinabove embodiment has been 
described with reference to a telephone call being 
placed over an IXC network, the telephone call may be 55 
established within an LEC without special handling by 
IXC. where the ISP and Internet access provider are 
connected to the same LEC. 



A method for communicating information between 
an originating server and a terminating server 
which are connected over a data network by a first 
communications link, said method characterized by 
the steps of: 

establishing, while said first communications 
link is active, a separate connection between 
said originating server and said terminating 
server, said separate connection independent 
of said first communications link; and 
transmitting said information via the separate 
connection. 

The method according to claim 1 , characterized In 
that said separate connection is a telephone con- 
nection. 

The method according to claim 1 , further character- 
ized by the step of terminating said separate con- 
nection after transmitting said information. 

The method according to claim 1 , further character- 
ized by a user terminal connected to said originat- 
ing server, wherein said information is 
communicated between said user terminal and said 
originating server, thereby communicating the infor- 
mation between said user terminal and said termi- 
nating server. 

The method according to claim 4, characterized In 
that said step of transmitting said information 
Includes said user terminal transmitting payment 
information to said terminating server. 

The method according to claim 4, characterized In 
that said step of transmitting said Information 
includes said terminating sen/er transmitting elec- 
tronic information to said user terminal in response 
to payment information received from said user ter- 
minal via said first connection or said separate con- 
nection. 

The method according to claim 4, characterized in 
that said step of establishing a separate connection 
is invoked In response to actions at the user termi- 
nal. 



8. The method according to daim 1 , characterized in 
that said terminating server initiates the step of 
establishing the separate connection. 

9. The method according to claim 1 . characterized in 
that said originating server initiates the step of 
establishing the telephone connection. 

10. The method according to claim 1, characterized in 
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11. 



that said step of establishing the separate connec- 
tion includes the steps of: 

said originating server providing a telephone 
number to said terminating server over the first 
communications link on thei data network; 
said terminating server placing a call using said 
telephone number; and 
said originating server receiving said call. 

A method for communicating information between a 
user and a terminating server, said user connected 
to said terminating server via an accessing server 
which is connected to said terminating server over 
a data network by a first communications link, said 
method characterized by the steps of: 

at the terminating server: 

associating a telephone call with said user; 
establishing, in coordination with said 
accessing server, a telephone connection 
with said originating server; 
communicating said information with said 
accessing server via said telephone con- 
nection; 

at the accessing server: 

establishing, in coordination with said ter- 
minating server, said telephone connec- 
tion; 

associating said telephone connection with 
said user; 

communicating said information with said 
terminating server via said telephone con- 
nection; and 

communicating said information with sard 
user. 



12. A system for secure communication, said system 
characterized by: 

an originating server; 

a terminating server connected over a data 
network by a first communications link to said origi- 
nating server: 

means for establishing a second connection 
between said originating server and said terminat- 
ing server; and 

means for transmitting said information via 
the second connection while said first communica- 
tions link is active. 
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arate from said data network. 

15. The system according to claim 12, further charac- 
terized by a user terminal connected to said origi- 
nating server, and wherein said information 
includes payment information communicated to the 
terminating server from the user terminal. 

16. A method for communicating first sensitive informa- 
tion possessed by a first party to a second party, 
and communicating second sensitive information 
possessed by the second party to the first party, 
said first party connected over a data network to 
said second party by a first communication link, 
said method characterized by the steps of: 

transmitting a phone number from one of said 
first party and second party to the other one of 
said first party and second party; 
placing a call, using said phone number, from 
said other one of said first party and second 
party to said one of said first party and second 
party; and 

receiving said call at said one of said first party 
and second party to provide a secure tele- 
phone connection between the first party and 
the second party: 

transmitting said first sensitive information and 
said second sensitive information over said 
secure telephone connection; 

wherein when the first sensitive information 
is transmitted before transmitting the second sensi- 
tive information, said step of transmitting a phone 
number is from the first party to the second party, 
and wherein when the second sensitive information 
is transmitted before transmitting the first sensitive 
information, said step of transmitting a phone 
number is from the second party to the first party. 



13. The system according to claim 12. characterized in 
that said second connection is a telephone connec- 55 
tion. 



14. The system according to claim 12, characterized in 
that said second connection is over a network sep- 



JOCID: <EP 0801479A1 J_> 



EP 0 801 479 A1 




EP 0 801 479 A1 



FIG. 2 



TO AND PROM 
INTERNET 102 




TO LEG 106 



11 



EP 0 801 479 A1 



FIG. 3 



TO/FROM INTERNET 



WEB SERVER 



501 



FROM 
TELEPHONE 
NETWORK 



DATA-VOICE 
CONTROL UNH 



505 



TEl£PHONE UNE 
TERMINATION 
m (PBX) 



502 



EP 0 801 479 A1 



FIG, 4 



USER REQUESTS ACCESS 
TO SECURE PAGE 



RECnVlNG SERVER RECOGNIZES 
THAT REQUESTED PAGE IS TO BE 
SECURE, ASKS SENDING SERVER 
IF n IS BIS EQUIPPED 



SENDING SERVER VERIRES 
BIS COMPATIBILITY 



RECEIVING SERVER RESERVES PHONE 
NUMBER FROM ITS POOL, TRANSMITS 

PHONE NUMBER TO SENDING SERVER 



SENDING SERVER, CONFIRMS. CALLS 
RECEIVING SERVER VIA RECEIVED NUMBER 



RECEIVING SERVER ANSWERS. 
KNOWS WHO IS CALUNG 



SENSITIVE INFORMATION IS 
EXCHANGED VIA THE TELEPHONE UNE 



401 



403 



405 



407 



409 



411 



413 



AFTER INFORMATION EXCHANGE, 
PHONE UNE DROPPED 



415 



PREVIOUSLY RESERVED PHONE 
NUMBER RETURNED TO POOL 



417 



13 



EP 0 801 479 A1 




European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 96 12 0794 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



CitBtion of document with indkatioo, where appropriate, 
of retevant pasnees 



Relevant 
to ctaim 



CLASSIHCATION OF THE 
APPUCATION OnUCLfc) 



GB 2 283 154 A (QUEST STANDARD 
TELEMATIQUE) 

* page 5, line 7 - page 9, line 14 * 

* figure 2 * 

US 4 996 685 A (T.R.FARESE ET AL) 

* column 6, line 58 - column 8, line 37 * 

EP 0 701 349 A (TRT) 

* claim 1 * 

* abstract * 



1-16 



H04L9/32 
H04L29/00 



1-16 



1-4. 
12-14 



TECHNICAL FIELDS 
SEARCHED aiu-at) 

H04L 
G06F 
G07F 



The present search report has been drawn up for all dainv 



1 Usee sf tank 


Otfe df atwfUikM •! Ike u«xk 




1 THE HAGUE 


3 June 1997 


Canosa Areste, C 



6 

3 



at 
O 



o 
w 



X 
Y 

A 
0 
P 



CATEGORY OF QTED DOCUNfENTS 

particulaiiy rdevant If t^ea aloae 
pirttculariy rdevut if conbincd with aaotho- 
docunent of the sane atcf^ry 
lecbnological background 
nOD-writico disclosure 
intemcdiatc document 



T : theory or prtndple underlying the invention 
E : earlier patent document* but published on, or 

after lb« filing dale 
D : document died in the application 
L : document dted for other reasons 



& : member of the same patent family, corresponding 
docament 



14 

DOCI0:<EP 0801479A1 I > 



